Middleboxes No Longer Considered Harmful

Intermediate network elements, such as network address translators (NATs), firewalls, and transparent caches, are now commonplace. The usual reaction in the network architecture community to these so-called middleboxes is a combination of scorn (because they violate important architectural principles) and dismay (because these violations make the Internet less flexible). While we acknowledge these concerns, we also recognize that middleboxes have become an Internet fact of life for important reasons. To retain their functions while eliminating their dangerous side-effects, we propose an extension to the Internet architecture, called the Delegation-Oriented Architecture (DOA), that not only allows, but also facilitates, the deployment of middleboxes. DOA involves two relatively modest changes to the current architecture: (a) a set of references that are carried in packets and serve as persistent host identifiers, and (b) a way to resolve these references to delegates chosen by the referenced host.
